> Someone posted a quite clean and easy to understand way to create a filter
> for port 80 the other day and I accidentally erased it. Can someone send it
> to me again.
>
> Thanks
> Paul
>
> --
> Paul Monaghan (PM1819, paulm@ican.net)
> Technical Team Leader - Internet - ACC Telenterprises Ltd.
> bobCode: KItpd lWm EMC++ m7 CPE B0 Ol Lb SC Tx A5 H9o b2
>
> ++ Ascend Users Mailing List ++
> To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
> To get FAQ'd: <http://www.nealis.net/ascend/faq>

Subject: Re: (ASCEND) Assistance with Filters
Date: Sat, 29 Nov 97 12:21:06 EST
From: Tim Basher <basher@alpha.CES.CWRU.Edu>
To: ascend-users@max.bungi.com

> I've tried to understand filters... but the manual is useless, and the web
> searching has produced little of use.

Well the manual seemed pretty clear to me. What seems to be the problem?
If you just follow your own description of what you are trying to do,
you should be able to create the filter.

#1 - You are trying to create a filter so go to the filter profile.
     Main Edit Menu > Ethernet > Filters > [unused filter]
     Add a name for the filter [Name=HTTP block]

> I need to block all port 80 (web) OUTGOING (hmm why not incoming) traffic
> from a range of IP addresses... for example 203.xx.xx.21-79 which is the
> ip range of our 60 dialups.

#2 - You say you want an "OUTGOING" filter so select "Output filters..."
     Select the first unused filter [say "Out filter 01"]
     Enable it by making it a valid filter ["Valid=Yes"]
     You are trying to block TCP/IP packets so make it an IP filter
     ["Type=IP"]

#3 - You are trying to create an IP filter so select "Ip..."
     You say you want to block packets so you do not want to forward
     these packets ["Forward=No"]
     You say you do not want access to port 80 - this would be the
     destination port - the port the server is listening on.
     ["Dst Port Cmp=Eql", "Dst Port #=80"]
     You say you do not want access for the "web", so this would be TCP,
     which is IP protocol 6 ["Protocol=6"]
     Since you are trying to block the initial connection TCP request, not
     just the packets within the connection, use "TCP Estab=No" - the
     default (no change needed).
     You say you want to block traffic "from" a set of addresses so you
     need to use the "Src Adrs" and "Src Mask" fields to add this
     specification.

This is the only tricky part, since you are not trying to block a network
or subnet but just an arbitrary range of addresses. Your solutions are to
(a) block a larger range of addresses (that matches a subnet) or
(b) to use multiple rules that will block up to the full range or
(c) to use multiple rules, one to block a larger range and then one or
    more to enable the necessary exceptions to the rule.

I'll go the easy way and just block some extra addresses, since you want
to "FORCE users" to use the web cache. You said "21-79". This does not
fall fully into either of the 6-bit subnets 0-63 or 64-127, so picking the
7-bit subnet of 0-127 seems the only choice. So you want to match
"Src Mask=255.255.255.128" and "Src Adrs=203.xx.xx.0"

And there you have your filter.

90-504 Ip...
  Forward=No
  Src Mask=255.255.255.128
  Src Adrs=203.129.22.0
  Dst Mask=0.0.0.0
  Dst Adrs=0.0.0.0
  Protocol=6
  Src Port Cmp=None
  Src Port #=N/A
  Dst Port Cmp=Eql
  Dst Port #=80
  TCP Estab=No

> (hmm why not incoming)

Which interface are you installing your filters on?

LAN A +----+ Pipeline +----+ MAX +----+ LAN B +----+ Router +----+ Internet

If you are putting the filter on the LAN interface of the Pipeline then
if you want to block packets from LAN A, it should be an "Input" filter.

If you are putting the filter on the WAN interface of the Pipeline then
if you want to block packets from LAN A, it should be an "Output" filter.

If you are putting the filter on the WAN interface of the MAX then
if you want to block packets from LAN A, it should be an "Input" filter.

If you are putting the filter on the LAN interface of the MAX then
if you want to block packets from LAN A, it should be an "Output" filter.

--
Tim Connolly  tec@mountain.net
MountainNet, Inc. -- (800) 444-1458 ext. 37
2816 Cranberry Square -- fax (304) 594-9088
Morgantown, WV 26505
</PRE>
</BODY>
</HTML>
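
The subnet choice worked through in the reply above (range 21-79 widened to the 7-bit block 0-127), as an added example that is not part of the original e-mail: it computes the single covering Src Adrs/Src Mask pair for option (a) and the exact multi-rule split for option (b). The function names and the mask-and-compare match logic are assumptions made for illustration; the 203.129.22 prefix is the one shown in the filter listing.

```python
import ipaddress

def covering_subnet(first, last):
    """Option (a): smallest single aligned block containing first..last."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    prefix = 32
    # Shorten the prefix until both ends of the range share the same network bits.
    while (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((base, prefix))

def exact_rules(first, last):
    """Option (b): aligned blocks that together cover exactly first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def extra_blocked(first, last):
    """Addresses caught by the single covering rule but outside the range."""
    wanted = int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1
    return covering_subnet(first, last).num_addresses - wanted

def filter_drops(src, protocol, dst_port, net):
    """Assumed match logic for the Forward=No rule: mask-and-compare on the
    source address, protocol 6 (TCP), destination port equal to 80."""
    mask = int(net.netmask)
    src_match = (int(ipaddress.IPv4Address(src)) & mask) == (int(net.network_address) & mask)
    return src_match and protocol == 6 and dst_port == 80

if __name__ == "__main__":
    # Dial-up range from the thread, with the prefix from the filter listing.
    first, last = "203.129.22.21", "203.129.22.79"
    net = covering_subnet(first, last)
    print("single rule: Src Adrs=%s Src Mask=%s (%d extra addresses)"
          % (net.network_address, net.netmask, extra_blocked(first, last)))
    for n in exact_rules(first, last):
        print("exact rule:  Src Adrs=%s Src Mask=%s" % (n.network_address, n.netmask))
    # An address outside 21-79 that the single wide rule still matches.
    print(filter_drops("203.129.22.100", 6, 80, net))
```

The single rule trades precision for simplicity: any host in 0-127 that is not a dial-up also loses direct port 80 access, which is what the exact split avoids at the cost of more filter entries.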